Data & Cyber

Expect increased enforcement action

17 April 2020

As we enter a new decade and in this year of the rat, we look - in a series of articles - at tech developments in APAC, with a particular emphasis on the jurisdictions of Australia, China, Hong Kong and Singapore.

The key developments to note are in:

AI: The use of AI, whilst creating huge opportunities in areas such as financial services, healthcare and autonomous vehicles, also brings the potential for significant legal, ethical and reputational exposure. APAC regulators have been considering these risks and we look at the various guidelines and ethical frameworks that have been published. [Read the first article in this series focussing on AI developments and outlook]

Crypto-assets: Globally, crypto-assets were hardly out of the press (or the crosshairs of regulators) in 2019 and early 2020 with Facebook's proposed stablecoin Libra in its various iterations taking the lion's share of headlines. In APAC, we saw national initiatives in crypto-regulation in Hong Kong, Singapore and Australia and some of the first crypto-cases. [Read the second article in this series focussing on Crypto-assets]

Big Tech and Data: Big Tech firms refer to large companies with established technology platforms such as Alibaba, Amazon, Facebook, Google and Tencent. The financial services offerings of Big Tech firms are expected to grow with anti-trust and data privacy concerns arising from their significant resources and widespread access to customer data.

Patent and IP Protection and Alternative Dispute Resolution: Arbitration is becoming an increasingly popular method of resolving IP disputes in light of its advantages including confidentiality, choice of specialist arbitrators and enabling the avoidance of multiple parallel proceedings in different jurisdictions. Various developments in arbitration in Hong Kong and Singapore in 2019 will facilitate this. We anticipate an increase in arbitration of FRAND / SEP and other patent and IP disputes, consistent with the growth of IP and technology disputes in previous years. [Read the final article in this series on patents and IP]

Over the course of four articles we will be looking in more detail at each of these areas. In this third part of the series we focus on Big Tech and Data Protection.

Big Tech and Data Protection

In collaboration with Forbes Insights, we surveyed 300 senior business executives, including CEOs and CFOs, from companies with revenues of at least US$1 billion in major industries around the globe regarding aspects of tech-driven growth, including big data. 44% were found to be using big data, with 34% exploring the same. However, despite the perceived level of expertise, businesses remained concerned. Even though 44% consider their businesses well equipped to deal with big data related legal and regulatory issues and 49% say the level of expertise across their boards of directors is high or very high, 43% say data management and governance are their top concern relating to tech-driven growth, and the same percentage are concerned about cybersecurity and privacy protection implementation. For guidance on a proactive approach to tech-driven growth, see our Ready, Steady, Grow Report.

Whether businesses are well equipped to deal with legal and regulatory issues is a concern as Big Tech and data protection remain high on regulators’ agendas; Margrethe Vestager, Vice President of the European Commission, stated that Big Tech should have to show how it helps consumers, rather than merely that it does not harm them. The financial sector implications are expounded in the Financial Stability Board's December 2019 report BigTech in finance: Market developments and potential financial stability implications which made clear that policymakers must consider the need for financial regulation and oversight.

For context, Big Tech firms refer to large companies with established technology platforms such as Alibaba, Amazon, Facebook, Google and Tencent. The financial services offerings of Big Tech firms are expected to grow with anti-trust and data privacy concerns arising from their significant resources and widespread access to customer data.

2019 Developments and Review

Big Tech and Data in Australia

In October 2019, Google was in the limelight when the Australian Competition and Consumer Commission (ACCC) commenced action against it in the Federal Court. The ACCC alleged that Google has engaged in misleading or deceptive conduct, in contravention of the Australian Competition and Consumer Act 2010 (Cth), in relation to misleading statements as to location data linked to individuals that Google collects, keeps and uses as part of its advertising business. The ACCC has stated that this is the first time a regulator anywhere in the world has taken on Google over alleged misuse of personal data of its users. The ACCC is seeking significant penalties and other orders, such as an order that Google implement a competition law compliance program. For further discussion, see our December 2019 article - Just a click away - the Australian Competition and Consumer Commission takes on Google.

At around the same time (November 2019), Google announced the acquisition of Fitbit, which is likely to attract close regulatory scrutiny from a number of competition authorities, including further scrutiny from the ACCC, due to competition and privacy concerns. This is in the context of the worldwide discussion surrounding "killer acquisitions" whereby a dominant firm acquires a potential competitor with the ultimate purpose (or effect) of eliminating competition. The discussion centres on the digital sector as incumbent tech firms, such as Google and Facebook, seek to acquire innovative start-ups.

Following on from its Digital Platform Inquiry culminating in its final report in July 2019, the ACCC has recommended that additional statutory considerations be incorporated into the section 50(3) merger factors and that large digital platforms be required to give advance notice of proposed acquisitions (where Australia's merger control regime is otherwise voluntary). Whilst neither recommendation materially changes the current substantive merger control framework or test under Australia's competition laws, they do signal that strategic acquisitions that give advantages of scope, remove potential competition and/or involve the combination of valuable data sets (in any industry) will receive close regulatory scrutiny. For further discussion, see our December 2019 article - The ACCC sets pulses racing on killer acquisitions.

Personal Data Protection in Hong Kong and Singapore

In terms of protection and security of personal data and data privacy in APAC, in March 2019, the Hong Kong Privacy Commissioner issued specific guidance for data protection in fintech. It highlighted privacy risks such as the collection and use of large amounts of personal data without a user's notice, and the risks of data leakage or interception during transmission. It recommends taking both administrative measures (for example, implementing policies and procedures) and technical security measures (for example, encryption and safe erasure methods) to protect data.

In August 2019, MAS issued the Notice on Cyber Hygiene which sets out the measures that financial institutions must take to mitigate the growing risk of cyber threats. The Notice makes compulsory key elements in the existing MAS Technology Risk Management (TRM) Guidelines. Financial institutions have 12 months to prepare for these measures before the requirements come into effect on 6 August 2020. See pages 8-9 of our August 2019 international regulatory update.

In October 2019, the Singapore Personal Data Protection Commission (PDPC) introduced a new chapter on cloud services in the Advisory Guidelines for Selected Topics. The new chapter aims to provide clarity on the responsibilities of organisations using cloud services to process personal data in the cloud, as well as the responsibilities of cloud service providers when processing personal data on behalf and for the purposes of organisations. The Commission also revised the Advisory Guidelines on Key Concepts to provide clarity on obligations where personal data is transferred overseas and dealing with access requests.

In March 2020, the PDPC and the Office of the Australian Information Commissioner signed a memorandum of understanding to strengthen cooperation in personal data protection. This includes jointly promoting the Asia Pacific Economic Cooperation Cross Border Privacy Rules System and encouraging industries to adopt the same to ensure robust cross-border data protection standards; developing compatible and interoperable data transfer mechanisms to ensure businesses operating in both countries can transfer data and meet requisite regulations, and mutual assistance in joint investigations involving cross-border data incidents. This followed a memorandum of understanding signed between the PDPC and the Hong Kong Privacy Commissioner in May 2019, and at the same time, as part of the enhanced cooperation, a guide to data protection by design for information and communications technology systems was released.

Personal Data Protection in China

As for China, the provisions of the 2017 PRC Cybersecurity Law currently serve as data protection provisions. The Cybersecurity Law applies to all network operators, which are broadly defined. Whilst it is not as comprehensive or detailed as the GDPR, there are parallels in how concepts are dealt with and key terms defined. In certain respects, Cybersecurity Law requirements are more stringent than GDPR.

Beyond a general focus on personal data protection reform, China has extended its attention to measures regulating data collection and use by app operators, and to encryption and internet content governance.

The Standing Committee of the National People's Congress passed the Encryption Law in October 2019, which regulates entities encrypting digital information in the public and private sectors (depending on the type of information) and seeks to define the responsibilities of such entities. The law came into effect on 1 January 2020.

In November 2019, the Cyberspace Administration of China issued guidance for mobile internet apps, emphasising the need for users' consent; avenues for correction or deletion of data; data collection and use rules, and self-inspection and correction. The National Information Security Standardisation and Technical Committee (NISSTC) also issued a draft specification on the same topic for public consultation by March 2020.

Again, on the same topic, the People's Bank of China issued draft regulations in the context of mobile financial application software in December 2019 for public consultation by January 2020. The draft regulations provide for measures that are particularly important in the context of sensitive personal financial data, such as data encryption, access control, secure transmission and signature verification, and prohibit the illegal sale or leakage of such data.

Chinese legislators have been working on consolidating the existing concept of personal data and strengthening avenues for aggrieved parties through the civil law system (as opposed to administrative enforcement) into a draft Civil Code, which was published for public comment on 28 December 2019 and is expected to be adopted in 2020. For more, see our previous article discussing legal updates from China and Hong Kong.

In terms of internet content regulation and governance, the Cyberspace Administration of China regulations (effective March 2020) discuss monitoring and auditing posted and advertising content, contingency measures for false or prohibited content (including content spreading rumours or defaming national unity and heroes), and the appointment of the equivalent of a responsible officer for such monitoring. They also prohibit illegal activity such as account manipulation, and encourage inter-agency information sharing and enforcement.

2020 outlook

With Big Tech and fintech on regulators' agendas, we expect increased enforcement action by antitrust, data and industry-specific or sectoral regulators (such as financial or cybersecurity regulators) against large data-heavy organisations, as well as those in financial services and beyond that rely on, or work closely with, data-driven businesses. We may also see more disputes arising out of sharing and use of Big Data between technology collaborators. Indeed, the ACCC was directed by the Australian government in February 2020 to undertake two new inquiries: one reviewing, over 18 months, digital advertising technology and agency services, and one reviewing, over five years, digital platforms and data brokers, including their digital advertising services and data practices.

There is also potential for more scandals around data poisoning. As more products using personal data and business data are launched in 2020, businesses may not necessarily be considering the source of the data. This can leave them vulnerable and exposed to a lack of control. As for China, moving on from piecemeal provisions in the Cybersecurity Law and Civil Code, it has been announced that a comprehensive data protection framework will be introduced by way of a new Personal Data Protection Law and Data Security Law in 2020.

Hong Kong is also set to see amendments to the Personal Data (Privacy) Ordinance (PDPO). The government published a paper for discussion in the Legislative Council (LegCo) in January 2020. Further study will take place with no time for tabling a bill yet indicated. The six main proposals for reform are:

mandatory data breach notification;

requirements for a clear data retention policy;

power of the Privacy Commissioner to directly impose administrative fines;

direct regulation of data processors and sub-contractors;

broadening the definition of personal data to encompass that relating to an "identifiable" natural person, as opposed to the current reference to an "identified person", and

amendments to address doxing.

Notable areas not mentioned for reform are cross-border data transfer, and sensitive data such as biometric and medical data.